Cynerio detects JekyllBot:5 vulnerabilities in Aethon TUG smart autonomous robots deployed across hospitals


Healthcare IoT security company Cynerio has discovered, exploited and revealed five zero-day vulnerabilities, collectively known as JekyllBot:5, which affect commonly used robots found in hundreds of hospitals worldwide. The security loopholes were discovered by the Cynerio Live research team in the Aethon TUG smart autonomous robots, which could allow attackers to circumvent security and remotely surveil and interact with patients, tamper with medication distribution, and disrupt day-to-day hospital operations.

The Aethon TUG smart mobile robots are deployed globally across hundreds of hospitals to deliver medicine and maintenance supplies and perform simple tasks. They are made up of a diverse collection of sensors and cameras that enable them to move around a hospital without much human intervention. They can autonomously direct themselves without bumping into anything or anyone. 

“The JekyllBot:5 vulnerabilities were discovered by the Cynerio Live research team and reside in the TUG Homebase Server’s JavaScript and API implementation, as well as a WebSocket that relied on absolute trust between the server and the robots to relay commands to them,” Cynerio said in a company blog post. The vulnerabilities exposed a fundamental design flaw at the core of the robots’ operating system: the security controls protecting Aethon TUG devices ran in the JavaScript of the browser of whichever user was connected to the portal, rather than on the server.

“This meant that all security measures in place for these devices could be bypassed, and that every action Cynerio researchers subsequently tested was not validated or checked by the system. The attack scenarios laid out in more detail below all flowed from this fundamental flaw,” the company added. The vulnerabilities impacted all versions of the robots prior to version 24, and pose a significant risk to all of the impacted Aethon TUG robots that have not been updated or patched. 
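The root cause Cynerio describes, authorization living in browser JavaScript while the server relays commands unchecked, as an added illustration that is not Cynerio’s or Aethon’s code: a relay that trusts a client-supplied role flag beside one that enforces the session and a command allow-list server-side. The session tokens, roles and command names are constructed placeholders, not real TUG protocol values.

```javascript
// Added example, not Cynerio's or Aethon's code. It contrasts the JekyllBot:5
// root cause (a server relaying robot commands on the browser's say-so) with
// server-side enforcement. Tokens, roles and command names are constructed
// placeholders, not real TUG protocol values.

// What the SERVER knows about each session token. The browser never tells the
// server what its role is; the server looks the role up itself.
const SESSIONS = new Map([
  ["tok-admin-1", { user: "fleet-admin", role: "admin" }],
  ["tok-viewer-1", { user: "nurse-station", role: "viewer" }],
]);

// Per-role allow-list of commands the relay may forward to a robot.
const ALLOWED = {
  admin: new Set(["move", "stop", "open_drawer", "camera_snapshot"]),
  viewer: new Set(["status"]),
};

// Vulnerable pattern: the relay trusts a role flag that arrived over the
// WebSocket with the command, so any client can simply claim "admin".
function relayTrustingClient(msg) {
  if (msg.role === "admin" || ALLOWED.viewer.has(msg.cmd)) {
    return { relayed: true, cmd: msg.cmd };
  }
  return { relayed: false, reason: "forbidden" };
}

// Hardened pattern: identity comes from the server-side session, the command
// is checked against the allow-list, and every decision is logged so that a
// SOC can alert on denied or unauthenticated command attempts.
function relayWithServerChecks(msg, log = []) {
  const session = typeof msg.token === "string" ? SESSIONS.get(msg.token) : undefined;
  if (!session) {
    log.push(`DENY unauthenticated cmd=${String(msg.cmd)}`);
    return { relayed: false, reason: "unauthenticated" };
  }
  const allowed = ALLOWED[session.role] || new Set();
  if (!allowed.has(msg.cmd)) {
    log.push(`DENY user=${session.user} role=${session.role} cmd=${String(msg.cmd)}`);
    return { relayed: false, reason: "forbidden" };
  }
  log.push(`ALLOW user=${session.user} cmd=${msg.cmd}`);
  return { relayed: true, cmd: msg.cmd };
}

// Constructed message: no valid session, but the browser claims to be admin.
const forgedMove = { cmd: "move", role: "admin" };
console.log("trusting client:", relayTrustingClient(forgedMove));   // relayed: true
console.log("server checks:  ", relayWithServerChecks(forgedMove)); // relayed: false
```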

The five vulnerabilities fall roughly into two categories. The first permits unauthorized access to the robots’ online web management console through open HTTP ports, allowing all security on the devices to be bypassed and giving potential attackers remote control. The second comprises vulnerabilities that enable malware injection attacks, resulting in unauthorized access to the computers of staff managing the robots.

With a high CVSS score of 9.8, the JekyllBot:5 vulnerabilities could be exploited in several severe attack scenarios, Cynerio said. These include disrupting or impeding the timely delivery of patient medications and lab samples essential for optimal patient care, and interfering with critical or time-sensitive patient care and operations by shutting down or obstructing hospital elevators and door-locking systems. They also include monitoring or taking videos and pictures of vulnerable patients, staff, hospital interiors, and sensitive patient medical records.

In addition, attackers exploiting the JekyllBot:5 vulnerabilities could control all physical capabilities and locations of the robots, gaining access to restricted areas, interacting with patients, or crashing the robots into staff, visitors, and equipment. They could also hijack legitimate administrative user sessions in the robots’ online portal and inject malware through the browser to mount further cyberattacks on IT and security team members at healthcare facilities.

Cynerio researchers found that attackers could potentially manipulate these sensors and cameras through multiple vulnerabilities that allow them to gain unauthorized access to the robots’ command and control console, get full control of the robot fleet’s movements and actions, directly interfere with patient care and data, and inject malware into legitimate user devices utilized to access the console.

Cynerio Live discovered the vulnerabilities while carrying out a deployment for a customer hospital. Aethon TUG robots communicate over Wi-Fi, which must be converted to Ethernet when the fleet management system is accessed, according to additional material released by Cynerio on the vulnerabilities.

“Late last year, a Cynerio Live researcher detected anomalous network traffic that seemed to be related to the elevator and door sensors. That in turn led to an investigation that revealed a connection from the elevator to a server with an open HTTP port, which then gave the researcher access to a company web portal with information about the Aethon TUG robots’ current status, hospital layout maps, and pictures and video of what the robots were seeing. Subsequent research revealed that control of the robots was also possible through this unauthorized access,” it added.

Further digging revealed some basic HTML vulnerabilities on the Aethon TUG web portal page that affect any authorized user logging into it, Cynerio said. The vulnerability allowed an attacker to insert malicious JavaScript code into the report requester’s browser whenever they logged in, which would let attackers inject malware on any computer used to obtain data about Aethon TUG robots, it added.

“These zero-day vulnerabilities required a very low skill set for exploitation, no special privileges, and no user interaction to be successfully leveraged in an attack,” Asher Brass, lead researcher on the JekyllBot:5 vulnerabilities and head of cyber network analysis at Cynerio, said in a media statement. “If attackers were able to exploit JekyllBot:5, they could have completely taken over system control, gained access to real-time camera feeds and device data, and wreaked havoc and destruction at hospitals using the robots,” he added.

The device manufacturer has mitigated the JekyllBot:5 vulnerabilities following Cynerio’s disclosure of the risks through the CISA Coordinated Vulnerability Disclosure process, Cynerio said. “Several patches have been applied to the robot fleets at each Aethon customer hospital, including one major patch that required replacing firmware and an operating system update for robots at some hospitals. In addition, Aethon was able to update the firewalls at particular hospitals known to have vulnerable robots so that public access to the robots through the hospitals’ IP addresses was prevented as the fixes were rolled out,” it added.

In February, the U.S. Department of Health and Human Services (HHS) said that it had received reports of data breaches from 578 healthcare organizations in 2021, impacting over 41.45 million individuals. Additionally, the agency revealed that 38 organizations affecting close to two million individuals had already been hit by data breaches last month, indicating that cybercriminals intend to continue carrying out cyberattacks against the healthcare sector in 2022.

In January, Cynerio reported under-addressed risks, threats, and security issues in healthcare IoT environments, as critical medical device risks continue to leave hospitals and their patients vulnerable to cyberattacks and data security issues. Based on information collected from millions of connected devices at hundreds of hospitals in the U.S. and worldwide, Cynerio found that over 50 percent of connected devices in a typical hospital setup carry critical risks.
